Integrity Failures with Hmac Signatures
How Integrity Failures Manifests in Hmac Signatures
HMAC (Hash-based Message Authentication Code) signatures are a cornerstone of API integrity verification, ensuring that requests and responses have not been tampered with in transit. When HMAC implementations are flawed, they create critical integrity failures that can lead to data manipulation, unauthorized actions, and privilege escalation. These failures manifest in specific, reproducible attack patterns directly tied to how HMAC is applied in code.
1. Algorithm Downgrade Attacks: Many APIs allow the client to specify the hashing algorithm (e.g., via a X-Signature-Algorithm header). An attacker can force the server to use a weak or broken hash function like SHA-1 or MD5. For example, if the server accepts algorithm=sha1 but also supports sha256, an attacker can downgrade to SHA-1, exploiting known collision weaknesses. A real-world instance is CVE-2020-28052, where a Java framework allowed algorithm downgrade from SHA-256 to SHA-1, enabling signature forgery.
2. Partial or Incomplete Signing: Developers sometimes sign only a subset of request parameters (e.g., just the path and query, omitting headers or body). An attacker can modify unsigned fields without invalidating the signature. Consider an e-commerce API that signs only the /order endpoint path but not the JSON body. An attacker could change {"price": 100} to {"price": 1} and the signature would still validate.
3. Key Exposure via Logs or Error Messages: If HMAC keys are logged (e.g., in debug logs) or leaked in error responses, an attacker can forge valid signatures for any request. This often happens when exception handlers print the full request context, including the Authorization header containing the key.
4. Signature Omission in Conditional Logic: Some endpoints skip signature verification for certain HTTP methods (e.g., GET) or when specific headers are present. An attacker can exploit this by crafting a request that bypasses the verification logic entirely.
5. Improper Key Derivation or Storage: Using a static, hard-coded key or deriving keys from predictable values (e.g., user ID) makes brute-force attacks feasible. Also, using the same key for encryption and integrity (violating key separation principles) can lead to cryptographic cross-contamination.
Hmac Signatures-Specific Detection
Detecting HMAC integrity failures requires testing the signature validation logic under adversarial conditions. middleBrick's unauthenticated black-box scanner actively probes for these weaknesses by manipulating requests and analyzing responses. Its Input Validation and Authentication checks (among its 12 parallel tests) include HMAC-specific probes.
Algorithm Downgrade Testing: The scanner sends the same request multiple times, each with a different algorithm parameter (if supported by the spec) or by modifying the X-Signature header format. For example, if the API expects sha256=abc123, the scanner tries sha1=def456 and observes if the server accepts it (e.g., returns 200 OK instead of 401). This identifies servers that blindly trust client-specified algorithms.
Partial Signing Detection: middleBrick modifies individual components of a signed request (path, query parameters, headers, body) while keeping the original signature intact. If the server processes the modified request successfully (e.g., creates an order with altered price), it indicates that not all critical elements were covered by the signature. The scanner cross-references the OpenAPI spec to see which parameters are declared as required and tests each one independently.
Signature Omission Probes: The scanner omits the Authorization or X-Signature header entirely for endpoints that require it. If the endpoint returns a successful response (200, 201) instead of an authentication error, it reveals a bypass. This is especially tested on GET endpoints where developers might mistakenly skip verification.
Key Exposure via Error Messages: middleBrick intentionally sends malformed signatures (e.g., wrong format, expired timestamps) and examines error responses. If the response body or headers contain the full signature string or key material, it flags a potential key leak.
You can run these checks yourself using middleBrick's CLI tool:
middlebrick scan https://api.example.com/v1/ordersHmac Signatures-Specific Remediation
Fixing HMAC integrity failures requires strict, consistent implementation of signature generation and verification. Below are language-specific examples that demonstrate secure patterns. Always use well-vetted cryptographic libraries; never implement HMAC manually.
Node.js (using the built-in crypto module): The common pitfall is using a weak hash (e.g., sha1) or comparing signatures with == (which is not constant-time and vulnerable to timing attacks).
const crypto = require('crypto');
// SECURE: Use SHA-256 or SHA-512, never SHA-1/MD5
const SECRET_KEY = process.env.HMAC_SECRET; // Never hard-code!
function generateHmac(payload, algorithm = 'sha256') {
return crypto.createHmac(algorithm, SECRET_KEY)
.update(JSON.stringify(payload))
.digest('hex');
}
function verifyHmac(payload, signature, algorithm = 'sha256') {
const expected = generateHmac(payload, algorithm);
// SECURE: Constant-time comparison prevents timing attacks
return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
// Example usage in an Express middleware
app.use((req, res, next) => {
const payload = { method: req.method, path: req.path, body: req.body };
const clientSignature = req.get('X-Signature');
if (!verifyHmac(payload, clientSignature)) {
return res.status(401).json({ error: 'Invalid signature' });
}
next();
});Python (using hmac and hashlib): Avoid == for signature comparison; use hmac.compare_digest.
import hmac
import hashlib
import os
SECRET_KEY = os.environ.get('HMAC_SECRET').encode('utf-8') # Bytes
def generate_hmac(payload: dict, algorithm='sha256') -> str:
data = json.dumps(payload, separators=(',', ':')).encode('utf-8')
digest = hmac.new(SECRET_KEY, data, getattr(hashlib, algorithm))
return digest.hexdigest()
def verify_hmac(payload: dict, signature: str, algorithm='sha256') -> bool:
expected = generate_hmac(payload, algorithm)
# SECURE: Constant-time comparison
return hmac.compare_digest(signature, expected)
# Flask example
@app.before_request
def verify_signature():
if request.path.startswith('/api/'):
payload = {
'method': request.method,
'path': request.path,
'body': request.get_json(silent=True) or {}
}
client_sig = request.headers.get('X-Signature')
if not client_sig or not verify_hmac(payload, client_sig):
abort(401, 'Invalid signature')General Hardening Rules:
- Enforce a single strong algorithm (SHA-256 or SHA-512) server-side; ignore any client-specified algorithm.
- Sign all critical components: HTTP method, path, query parameters, headers (especially
Content-Type), and body (canonicalized). - Never expose keys: Store keys in environment variables or secret managers; never log them.
- Use constant-time comparison for all signature checks to prevent timing attacks.
- Rotate keys periodically and have a key revocation process.
- Include a timestamp/nonce in the signed payload to prevent replay attacks.
If you are using a framework (e.g., Spring Security, Django REST Framework), leverage its built-in HMAC utilities rather than rolling your own. For example, in Spring, use HmacUtils from Apache Commons Codec with SHA-256.
FAQ
- Q: Does using HTTPS eliminate the need for HMAC signatures?
A: No. HTTPS protects data in transit but does not guarantee integrity at the application layer. HMAC signatures protect against tampering at the API layer (e.g., if a proxy or CDN modifies headers/body) and provide non-repudiation. They are complementary, not substitutes. - Q: Can I use HMAC with SHA-1 for internal APIs?
A: No. SHA-1 is cryptographically broken (collision attacks are practical). Even internal APIs can be targeted by insider threats or lateral movement attacks. Always use SHA-256 or stronger. OWASP and NIST deprecated SHA-1 for digital signatures and HMAC.